
I'll try to make this succinct as possible.

I want to be able to encrypt & decrypt simple strings using OpenSSL, which I have done before.

HOWEVER, the following conditions must be met:

  • Simple passphrase use (no keys)
  • No input/output files
  • No prompt for passphrase (specify via command-line options for either direction)

I'm 50% there. I can successfully perform ENCRYPTION via:

echo 'someTextIWantToEncrypt' | openssl enc -e -aes-256-cbc -nosalt -pass pass:mySecretPass

The output result is:

(??b}n??v???>??G??.?B??~?

OK, great. Now I want to DECRYPT that string. So I do:

echo -n '(??b}n??v???>??G??.?B??~?' | openssl enc -d -aes-256-cbc -pass pass:mySecretPass

or even as an alternative:

openssl enc -d -aes-256-cbc -pass pass:mySecretPass <<< '(??b}n??v???>??G??.?B??~?'

But I get this response:

bad magic number

Though I don't want to use input/output files, that method DOES work 100%:

# encrypt to file
echo -n 'someTextIWantToEncrypt' | openssl enc -e -nosalt -out test.txt -aes-256-cbc -pass pass:mySecretPass 

# decrypt from file
openssl enc -d -nosalt -in test.txt -aes-256-cbc -pass pass:mySecretPass

# result of decryption (is successful):
someTextIWantToEncrypt

So ... how can I achieve the above decryption process without using input/output files whatsoever? I feel I am close, but missing some small detail.

Thanks in advance.

3 Answers


The problem is that encryption uses the entire ASCII character set, including unprintable characters. If you want to be able to cut and paste the encrypted data, you need to convert it to only printable characters. You can do this with the -base64 (or -a) option:

echo 'someTextIWantToEncrypt' | \
  openssl enc -base64 -e -aes-256-cbc -nosalt -pass pass:mySecretPass

KPkBkGJ9bs4YHvh24xz7m9jTlYWm1LcIFcWR0DwY4PU=

Then decrypt it the same way:

echo "KPkBkGJ9bs4YHvh24xz7m9jTlYWm1LcIFcWR0DwY4PU=" | \
  openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:mySecretPass

WARNING: If you're using openssl, I can only assume the confidentiality of the data, and therefore the password, is important to you. If that's the case, you should never supply a password on the command line, because it can be exposed to anyone with the privilege to run ps.

A better solution is to store the password in an environment variable and have openssl read it from there:

export passwd="mySecretPass"
echo "KPkBkGJ9bs4YHvh24xz7m9jTlYWm1LcIFcWR0DwY4PU=" | \
  openssl enc -base64 -d -aes-256-cbc -nosalt -pass env:passwd

6 Comments

You are correct, and I have figured this out -- you are correct as well as the individual who helped me. Props go to both of you. Since I am so new to this site, it wouldn't let me answer my own question for another few hours. In any case, THANK YOU!
And as an aside, you're also correct about the "better" solution. All I can say is that this is a working Proof-Of-Concept, and to complement your remark, the end-goal IS to do a more secure "storing" of such information and not expose it to the command line. Kudos to you Adam Liss.
In that case, I'd respectfully suggest you solicit a review by a security professional. You see a lot of plausible--but utterly vulnerable--implementations during 15+ years in the business.
Wholeheartedly agreed - in addition, if this POC ever matures to a feasible state, it will be community driven ultimately.
On short strings like this you should use a salt. Otherwise the encrypted output of the same input, using the same key, will always be the same, allowing an attacker to substitute strings, or just identify when known strings are occurring.

Decrypt

#!/bin/bash
clear 
# encrypt to file
echo "enter choice "
echo "1-dakr"
echo "2-gakr"
read choice 
case $choice in
1 )
echo "text?"
read text
echo "pass?"
read pass

echo -n '$text' | openssl enc -e -nosalt -out test.txt -aes-256-cbc -pass pass:$pass 
;;
2 ) 
# decrypt from file
echo "pass?"
read pass
echo "path?"
read path
openssl enc -d -nosalt -in $path -aes-256-cbc -pass pass:$pass
;;
* )
echo "shcd"
;;
esac

Output of Decrypt is $text. How do I fix it?

4 Comments

Could you please explain exactly what the issue is? How to fix what? What are you expecting the program to do?
I want to encrypt a string and save it in a text file. The program does this well, but when I choose decrypt and then select the file path (where the encrypted text is saved), the output is $text instead of the decrypted string.
Could you add this to your question? This way others can understand exactly what the problem is.
Use double-quotes instead of single-quotes: echo -n "$text" | openssl ... or without quotes entirely: echo $text | openssl ...

I know this is old, but someone else just showed me this question. I have a TCL script that achieves this easily, and can just be modified to work with whatever shell you're using, it contains these lines:

if {[catch {set lines [exec echo -n $tte | openssl enc -$cipher -a -pbkdf2 -iter $iterations -pass pass:$fkey]} msg]} {
     tk_messageBox -message $msg
     return
}

Where $tte = text to encrypt, $cipher and $iterations are self explanatory, and $fkey is the password passed to openssl. Just add a -d switch to decrypt.
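Putting the pieces of this thread together (the accepted answer's -base64 output and env: password, the comment about using a salt, and the -pbkdf2 -iter switches from the TCL snippet above), here is an added shell example of file-free string encryption and decryption. It is not code from any of the answers; it assumes an openssl build that supports -pbkdf2 and -iter (1.1.1 or later) and the constructed passphrase mySecretPass.

```shell
#!/bin/sh
# Added example, not from the answers above: encrypt and decrypt a string
# with no input/output files. The passphrase is read from the environment
# (-pass env:) rather than the command line, a random salt plus PBKDF2 is
# used for key derivation, and -a/-A keep the ciphertext as a single
# printable base64 line so it can be pasted straight back into decrypt.
# Assumes openssl >= 1.1.1 (needed for -pbkdf2 and -iter).

# enc_str PLAINTEXT  -> base64 ciphertext; passphrase taken from $PASSWD
enc_str() {
    printf '%s' "$1" | openssl enc -aes-256-cbc -a -A -salt -pbkdf2 \
        -iter 100000 -pass env:PASSWD
}

# dec_str BASE64_CIPHERTEXT -> plaintext; same options, plus -d
dec_str() {
    printf '%s' "$1" | openssl enc -d -aes-256-cbc -a -A -pbkdf2 \
        -iter 100000 -pass env:PASSWD
}

# Round trip of a value containing spaces and a literal '$'. The variable
# is double-quoted on the way in, which is exactly what the quoting bug in
# the bash answer above ('$text' in single quotes) gets wrong.
demo_roundtrip() {
    PASSWD='mySecretPass'; export PASSWD   # constructed passphrase
    plain='some $text I want to encrypt'
    ct=$(enc_str "$plain")
    dec_str "$ct"
}

# Because a fresh random salt is used each time, encrypting the same string
# twice with the same passphrase gives different ciphertext, so an observer
# cannot tell when a known string recurs (the point made in the comments).
demo_salt_differs() {
    PASSWD='mySecretPass'; export PASSWD
    a=$(enc_str 'someTextIWantToEncrypt')
    b=$(enc_str 'someTextIWantToEncrypt')
    if [ "$a" != "$b" ]; then echo differs; else echo same; fi
}

demo_roundtrip; echo
demo_salt_differs
```

Decrypting with the wrong value in PASSWD makes openssl exit non-zero with "bad decrypt", so callers should check its exit status rather than trusting the output.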
